Security is the discipline of using effective protection measures to safeguard important assets from abuse. In other words, security is about protecting important things. Protection involves not just mechanisms (such as locks and doors), but also proper selection and use of mechanisms.
Properly applied, the various disciplines of information security really come down to risk management that is not fundamentally different from risk management in other situations such as finance and insurance.
When learning how to think constructively about managing risks, the following common-sense vocabulary is often used:
Asset: something important that needs protection
Risk: likelihood of threat leading to actual abuse
Cost (1): reduction in value of abused asset
Cost (2): amount of resources required to use security measures to protect an asset
Benefit: the value of a security measure
It would be great if these terms (asset, value, threat, risk, cost, benefit) could be used scientifically, but when it comes to information systems, most of them are pretty squishy. Nevertheless, even a best guess is remarkably useful. If guesses about relative value and likelihood are consistently applied, then it is usually possible to decide on the priority of potential improvements in information security.
Cost becomes a matter of budget. Most people with authority over funds for security can, if properly informed, make good decisions about how to allocate the budget. In many instances, it is possible to analyze whether the incremental value of a higher budget would be significant.
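As an added example (not part of the original text) of applying this vocabulary, the following Python ranks candidate improvements by the expected loss they remove per unit of Cost (2) and picks those that fit a budget; the names and figures are constructed guesses, which is exactly the kind of input the text says is still useful when applied consistently.

```python
from dataclasses import dataclass

@dataclass
class Improvement:
    name: str
    asset_value: int      # Cost (1): value lost if the asset is abused
    risk_before_pct: int  # likelihood of abuse (per cent) without the measure
    risk_after_pct: int   # likelihood of abuse (per cent) with the measure
    measure_cost: int     # Cost (2): resources needed to apply the measure

    def expected_loss_reduction(self) -> float:
        """Benefit: expected loss removed = value * reduction in likelihood."""
        return self.asset_value * (self.risk_before_pct - self.risk_after_pct) / 100

    def net_benefit(self) -> float:
        """Benefit minus the cost of the measure itself."""
        return self.expected_loss_reduction() - self.measure_cost

def benefit_per_cost(imp: Improvement) -> float:
    # A free measure with any benefit ranks first; avoids division by zero.
    if imp.measure_cost == 0:
        return float("inf")
    return imp.expected_loss_reduction() / imp.measure_cost

def prioritize(improvements, budget):
    """Greedy selection: best benefit-per-cost first, skipping measures that cost
    more than the risk they remove, until the budget is spent. Greedy ordering is
    a heuristic, not an optimal knapsack solution, but matches how budgets are
    usually argued in practice. Returns (chosen names in order, remaining budget)."""
    ranked = sorted(improvements, key=benefit_per_cost, reverse=True)
    chosen, remaining = [], budget
    for imp in ranked:
        if imp.net_benefit() <= 0:
            continue  # the measure is worth less than it costs
        if imp.measure_cost <= remaining:
            chosen.append(imp.name)
            remaining -= imp.measure_cost
    return chosen, remaining

# Constructed sample candidates (hypothetical figures, not from any real system).
CANDIDATES = [
    Improvement("patch application bugs", 500_000, 30, 5, 40_000),
    Improvement("harden OS configuration", 200_000, 50, 10, 15_000),
    Improvement("enforce strong passwords", 100_000, 40, 20, 5_000),
    Improvement("gold-plated firewall", 50_000, 10, 1, 30_000),
]

if __name__ == "__main__":
    for imp in CANDIDATES:
        print(f"{imp.name:28s} benefit={imp.expected_loss_reduction():>9.0f} net={imp.net_benefit():>9.0f}")
    print(prioritize(CANDIDATES, 50_000))
```

With a 50,000 budget the OS hardening and password measures are chosen, the larger patching effort waits for more funds, and the firewall is dropped because its net benefit is negative.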
Understanding of information security technology is necessary to make informed judgements like these. Fortunately, the essential technological aspects are not rocket science.
There are several types of security issues: data security, computer security, system security, communication security, and network security. The term information security is often used to encompass all of them and to distinguish them from closely related and important issues such as physical security, operational security, and personnel security that do not rely primarily on computing technology.
Computing is as risky as any other aspect of modern life, and in some sense more so because of the complexity of computing systems. Vulnerabilities exist at all levels (network, operating system, middleware and application) because all software has bugs, administration is error-prone and users are unreliable.
It is virtually impossible to develop any significant system without some errors in it. We know how to build bridges so that their imperfections are tolerable. That is, we can build bridges that do not collapse (if proper engineering methodology is followed), but we cannot build systems and applications that do not crash.
In computing systems, flaws are often bugs: repeatable situations in which the system behaves in an unintended manner. Each bug can also be a security vulnerability, if the bug can be used in a way that allows a failure of security: either authorized users exceeding their privileges, or unauthorized users gaining access to systems. Furthermore, the complexities of modern computing systems make them difficult to manage.
Configuration and administrative errors also create security vulnerabilities. It can be difficult to determine whether the system is properly configured. For example, to harden Windows NT for use on the Internet, Microsoft recommends over a hundred specific configuration changes that effectively turn off many of the features that led people to want to use NT in the first place. Security experts have further recommendations beyond those described by Microsoft.
Computing, like life, has many threats. But what are the risks? Given the wide range of threats, the sheer number of vulnerabilities, and the ever-increasing number of attackers, the risk is nearly 100 per cent that some incident will occur if information security is not addressed in a systematic manner.
There are many different avenues of attack. Inadequate data security can give unauthorized users access to sensitive information. Inadequate computer security can result from the use of weak passwords and allow abuse of user accounts. Applications filled with bugs can allow unauthorized transactions. Inadequate system security can result from a mis-configured operating system and allow unintended network access. Eavesdropping and password reuse are examples of inadequate communication security, which can result in impersonation of individuals. Inadequate network security can lead to unintended Internet access to private systems.
There are many examples of inadequate security. Who is hurt by these attacks? Internet access in this scenario affects the on-line consumer greatly, sometimes in